A new variant of Android malware is responsible for what’s believed to be the biggest single theft of Google accounts. Dubbed Gooligan by researchers at Check Point, this malware has infected as many as 1.3 million Android phones since August 2016.Gooligan has been found in at least 86 apps available in third-party marketplaces.

“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.”

Gooligan, once in control, steals the tokens that authorize users to access accounts. Its main aim, though, is to force users into downloading apps as part of a huge advertising fraud scheme. Since it doesn’t manifest itself easily, it has made as much as $320,000 a month.

How The Gooligan Campaign Works

Once a device is infected, Gooligan completely compromipses the devices open by rooting them. It downloads a rootkit from the C&C server, using well-known VROOT and Towelroot on Android 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and 5 (Lollipop) devices.

When the device is successfully rooted, the attacker can execute privileged commands remotely. A malicious module is now downloaded and installed on the infected device. This module imitates user behavior by injecting code into running Google Play or GMS (Google Mobile Services), thus avoiding detection. This technique was first seen with the mobile malware HummingBad.

Android Developer | Electronics Undergrad
Pratyusha loves new gadgets and tinkering around with them. An avid coder, she likes playing around with Android and ML. She is currently a third year undergraduate student in Jadavpur University.